Trying to Use ESAPI But getting Error
I am trying to use ESAPI.jar for providing security to my web application.Basically I have just started using ESAPI.jar. But problem is I am not able to run even a simple program using ESAPI. The small code snippet is:
String clean = ESAPI.encoder().canonicalize("someString");
Randomizer r=ESAPI.randomizer();
System.out.println(r);
System.out.println开发者_如何学Python(clean);
I get this error:
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Eclipse-Workspace\Test\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Documents and Settings\user.user) directory: C:\Documents and Settings\user.user\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
ESAPI.properties could not be loaded by any means. Fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
Exception in thread "main" org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
at org.owasp.esapi.ESAPI.securityConfiguration(ESAPI.java:184)
at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
at org.rancore.testJasp.TestEsapi.main(TestEsapi.java:59)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:86)
... 3 more
Caused by: org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)
at org.owasp.esapi.reference.DefaultSecurityConfiguration.<init>(DefaultSecurityConfiguration.java:227)
at org.owasp.esapi.reference.DefaultSecurityConfiguration.getInstance(DefaultSecurityConfiguration.java:75)
... 8 more
Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:667)
at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:436)
... 10 more
I have tried copying the 3 ESAPI properties files in my source folder and also configuring them on build path but still I have not succeeded. I have tried many permutations and combinations to no avail.
Please guide me.
The content of property file is:
# User Messages
Error.creating.randomizer=Error creating randomizer
This.is.test.message=This {0} is {1} a test {2} message
# Validation Messages
# Log Messages
The ESAPI.properties file should have more than 3 lines in it. See for example:
https://web.archive.org/web/20150904064147/http://code.google.com:80/p/owasp-esapi-java/source/browse/trunk/configuration/esapi/ESAPI.properties
In my experience the ESAPI.properties file either needs to be in the same folder as the esapi.jar or needs to be compiled into the jar in a resources directory.
/resources/ESAPI.properties
I believe that either one should work. If ESAPI does not find the file it one location it looks in others.
The code for that is here around line 620:
https://web.archive.org/web/20161005210258/http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
I just struggled through this one myself.
- I created a folder called esapi in my C:/users/myname/ directory and loaded up the ESAPI.properties, validation.properties, and the ESAPI-AccessControlPolicy.xml which got me past all the not finding files errors. ESAPI looks in several places for the files. I'm running Windows 7 64 bit by the way.
- Then I had to update some of the jars. I should have done this from the beginning, but I didn't know it. I was getting this error: AccessController class (org.owasp.esapi.reference.DefaultAccessController) CTOR threw exception. for every jar that needed to be a newer version, like commons collections or log4j. At the bottom of the stack trace it would reference the offending jar.
When I added the newer jars from the esapi lib directory everything just worked!
I got this message at the end in my console:
ESAPI.accessController found: org.owasp.esapi.reference.DefaultAccessController@1cb8deef
Note: There is an ESAPI_en_US.properties file, but it's the one with only a few lines in it. Just use the file in: \esapi-2.1.0-dist\src\test\resources\esapi\ESAPI.properties. That is the full complete file.
After having this problem and looking at the installation documentation (esapi-x.x.x-dist\documentation\esapi4java-core-x-x-install-guide.pdf) I found a very useful section which detailed that the properties file can be anywhere, provided a vm flag (-Dorg.owasp.esapi.resources=path"
) points to a particular directory.
For example, if I stick the file in a "resources" folder at the root of my project directory, then the flag would be:
-Dorg.owasp.esapi.resources="path\to\project\root\resources"
The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference implementation, resources can be put in several locations, which are searched in the following order:
1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory. You can set this on the java command line as follows (for example):
java -Dorg.owasp.esapi.resources="C:\temp\resources"
You may have to add this to the start-up script that starts your web server. For example, for Tomcat, in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.
3) Inside the System.getProperty( "user.home" ) + "/.esapi" directory (supported for backward compatibility) or inside the System.getProperty( "user.home" ) + "/esapi" directory.
4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
Can you put your file (with this name) in:
D:\Eclipse-Workspace\Test\ESAPI.properties
And show us the contents and exception again.
- Extract the esapi jar
- create a folder named resources under
org.owasp.esapi
- copy
ESAPI.properties
to theorg.owasp.esapi.resources
- Build and deploy
extract the jar add properties file under resources folder.
initially getting same error, after updating properties file it worked for me
Thanks for providing the information
-Dorg.owasp.esapi.resources="path\to\project\root\resources"
This is a good source of information and has resolved my issue
I had the same problem too. I resolved it using a little bit of James Drinkard solution. What I basically did is created a new folder with name ESAPI and added ESAPI.properties file, Validation.properties, and the ESAPI-AccessControlPolicy.xml. And archived it into a jar file and added to the lib folder under WebContet/WEB-INF and build it to the path and it worked.
*To archive it into a jar file I used windows command move ESAPI ESAPI.jar
Look at the various scripts under 'src/examples/scripts' and they will show you one easy way to control where the ESAPI.properties files is found. (This is for ESAPI 2.0 or later.)
You will find a copy of the ESAPI.properties file will be under 'configuration/esapi'.
精彩评论